How to generate ECDSA/EC certs ?
How to generate ECDSA/EC certs ?
The Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography. ArubaOS provides Elliptic Curve Digital Signature Algorithm (ECDSA) certificate support for EAPTLS v1.2 (AAA FastConnnect), IKE server, and Site to site VPN
Feature Notes : Support for Suite B algorithms was introduced in Windows Vista, and certification authority (CA) support for Suite B algorithms was introduced in Windows Server 2008.
Microsoft web enrollment (https://<server IP>/certsrv) is not supported for Version 3 certs (EC certs are considered V3)
The controller performs native certificate authentication using IKEV2 and therefore the certs must be capable of ECDSA (default templates only support RSA)
To generate an elliptic curve CSR on controller:
(hostname)#crypto pki csr ec curve_name <secp256r1 or secp384r1> common_name <name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email>
CA Certificate Generation process :
Reinstall AD Certificates Services role and navigate to link for step by step instructions on generating an EC CA cert
On the Configure Cryptography for CA page, select the following options, and then click Next:
For CSP, select ECDSA_P256#Microsoft Software Key Service Provider.
For Key Character Length, select 256.
For the Hash Algorithm, select SHA256.
Server Certificate Generation process :
Duplicate web server template and follow the steps in the link to create an EC server cert
On the Cryptography tab, define the algorithm and key size to be used when requesting this certificate.
For Algorithm name list, select ECDH_P256,
For Minimum key size list, type 256.
For the Request hash list, select SHA256.
User Certificate Generation process :
Duplicate user template and follow the same steps that were used to create the EC server cert
To sign the controller CSR use the following elevated command on the CA signing the cert (must run the command from the same folder that the CSR is stored)
C:\Users\admin\Desktop>certreq.exe –submit –attrib “certificateTemplate:<template name>” <filename>.csr <filename>.cer
To request a user cert follow the below steps:
- Type certmgr.msc in the search pane (start / search);
- Right click on Personal folder;
- Click on All Tasks;
- Click Request New Certificate (must have network access to CA in your domain);
- Click Next , click Next;
- Check the box of the certificate template name you are requesting (User Suite B);
- Click Enroll
Uploading elliptic curve server and CA certs to controller :
Navigate to Configuration> Management > Certificates page from the Upload tab.
Copy the exported certificates to your management station. The first upload will be for the CA Root elliptic curve certificate.
- Provide a Certificate Name, Browse to the CA Root certificate location & Select
- Select “PEM” for Cert Format & “Trusted CA” for Cert Type. Upload the cert.
- Successfully uploaded CA Root Certificate
- Next, upload the elliptic curve Server certificate that was exported during the Windows Server 2008 R2 Installation.
- Select “PEM” for Cert Format, Server Cert for Cert Type, & Upload
- Successfully uploaded Server Certificate
- View & Verify General / Details on the elliptic curve CA/Server Certificate